This class represents a Portable Executable (PE) file and makes its headers and properties accessible.
コード例 #1
ファイル: OptionalHeader.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Fills the optional-header text boxes with the hexadecimal form of every
        ///     field of <c>peFile.ImageNtHeaders.OptionalHeader</c>.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose optional header is displayed.</param>
        /// <remarks>
        ///     The values are shown exactly as parsed; nothing in this method checks them
        ///     for plausibility, so a crafted file can put arbitrary numbers in these boxes.
        /// </remarks>
        public void SetOptionalHeader(PeFile peFile)
        {
            var optionalHeader = peFile.ImageNtHeaders.OptionalHeader;

            // Magic and linker version. The two linker version fields are formatted
            // through Utility.ToHexString directly instead of the extension-method form.
            tbMagic.Text = optionalHeader.Magic.ToHexString();
            tbMajorLinkerVersion.Text = Utility.ToHexString(optionalHeader.MajorLinkerVersion);
            tbMinorLinkerVersion.Text = Utility.ToHexString(optionalHeader.MinorLinkerVersion);

            // Code/data sizes, entry point and base addresses.
            tbSizeOfCode.Text = optionalHeader.SizeOfCode.ToHexString();
            tbSizeOfInitializedData.Text = optionalHeader.SizeOfInitializedData.ToHexString();
            tbSizeOfUninitializedData.Text = optionalHeader.SizeOfUninitializedData.ToHexString();
            tbAddressOfEntryPoint.Text = optionalHeader.AddressOfEntryPoint.ToHexString();
            tbBaseOfCode.Text = optionalHeader.BaseOfCode.ToHexString();
            tbBaseOfData.Text = optionalHeader.BaseOfData.ToHexString();
            tbImageBase.Text = optionalHeader.ImageBase.ToHexString();

            // Alignment values.
            tbSectionAlignment.Text = optionalHeader.SectionAlignment.ToHexString();
            tbFileAlignment.Text = optionalHeader.FileAlignment.ToHexString();

            // Version fields.
            tbMajorOperatingSystemVersion.Text = optionalHeader.MajorOperatingSystemVersion.ToHexString();
            tbMinorOperatingSystemVersion.Text = optionalHeader.MinorOperatingSystemVersion.ToHexString();
            tbMajorImageVersion.Text = optionalHeader.MajorImageVersion.ToHexString();
            tbMinorImageVersion.Text = optionalHeader.MinorImageVersion.ToHexString();
            tbMajorSubsystemVersion.Text = optionalHeader.MajorSubsystemVersion.ToHexString();
            tbMinorSubsystemVersion.Text = optionalHeader.MinorSubsystemVersion.ToHexString();
            tbWin32VersionValue.Text = optionalHeader.Win32VersionValue.ToHexString();

            // Image and header sizes, checksum, subsystem.
            tbSizeOfImage.Text = optionalHeader.SizeOfImage.ToHexString();
            tbSizeOfHeaders.Text = optionalHeader.SizeOfHeaders.ToHexString();
            tbCheckSum.Text = optionalHeader.CheckSum.ToHexString();
            tbSubsystem.Text = optionalHeader.Subsystem.ToHexString();

            // Shown as a raw bit mask. In the PE format this field carries the opt-in
            // flags for loader mitigations (ASLR, DEP, CFG), so it is one of the first
            // values to read when judging how a binary was hardened.
            tbDllCharacteristics.Text = optionalHeader.DllCharacteristics.ToHexString();

            // Stack and heap reservations, loader flags, data-directory count.
            tbSizeOfStackReserve.Text = optionalHeader.SizeOfStackReserve.ToHexString();
            tbSizeOfStackCommit.Text = optionalHeader.SizeOfStackCommit.ToHexString();
            tbSizeOfHeapReserve.Text = optionalHeader.SizeOfHeapReserve.ToHexString();
            tbSizeOfHeapCommit.Text = optionalHeader.SizeOfHeapCommit.ToHexString();
            tbLoaderFlags.Text = optionalHeader.LoaderFlags.ToHexString();
            tbNumberOfRvaAndSizes.Text = optionalHeader.NumberOfRvaAndSizes.ToHexString();
        }
コード例 #2
ファイル: FileHeaderDebug.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Resets the debug-directory text boxes and, when the file has a debug
        ///     directory, fills them with its fields in hexadecimal.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose debug directory is displayed.</param>
        public void SetDebug(PeFile peFile)
        {
            // Blank every box first so nothing from an earlier call remains when the
            // directory is absent.
            tbDebugCharacteristics.Text = string.Empty;
            tbDebugTimeDateStamp.Text = string.Empty;
            tbDebugMajorVersion.Text = string.Empty;
            tbDebugMinorVersion.Text = string.Empty;
            tbDebugType.Text = string.Empty;
            tbDebugSizeOfData.Text = string.Empty;
            tbDebugAddressOfRawData.Text = string.Empty;
            tbDebugPointerToRawData.Text = string.Empty;

            var debugDirectory = peFile.ImageDebugDirectory;
            if (debugDirectory == null)
            {
                return;
            }

            // Copy each field of the directory into its box.
            tbDebugCharacteristics.Text = debugDirectory.Characteristics.ToHexString();
            tbDebugTimeDateStamp.Text = debugDirectory.TimeDateStamp.ToHexString();
            tbDebugMajorVersion.Text = debugDirectory.MajorVersion.ToHexString();
            tbDebugMinorVersion.Text = debugDirectory.MinorVersion.ToHexString();
            tbDebugType.Text = debugDirectory.Type.ToHexString();
            tbDebugSizeOfData.Text = debugDirectory.SizeOfData.ToHexString();
            tbDebugAddressOfRawData.Text = debugDirectory.AddressOfRawData.ToHexString();
            tbDebugPointerToRawData.Text = debugDirectory.PointerToRawData.ToHexString();
        }
コード例 #3
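    /// <summary>
    ///     Parses <paramref name="FiletoScan"/> as a PE file, groups its imported
    ///     function names by DLL in <c>DLLs</c> and passes the result to the report.
    /// </summary>
    /// <param name="FiletoScan">Path of the file to inspect.</param>
    /// <param name="raport">Report that receives the DLL-to-functions map.</param>
    /// <remarks>
    ///     This step is best-effort: if the file cannot be parsed or has no import
    ///     table, nothing is added to the report. The failure is written to the trace
    ///     output so that a sample whose imports could not be read is not silently
    ///     indistinguishable from one that was never scanned.
    /// </remarks>
    public PEImports(string FiletoScan, ref XMLParser raport)
    {
        try
        {
            var peHeader = new PeNet.PeFile(FiletoScan);
            var imports = peHeader.ImportedFunctions;
            if (imports == null)
            {
                // No import list was produced for this file; nothing is reported.
                return;
            }

            foreach (var import in imports)
            {
                var dllName = import.DLL;
                if (!DLLs.ContainsKey(dllName))
                {
                    DLLs.Add(dllName, new List<string>());
                }

                // Each function name is recorded once per DLL, in first-seen order.
                var functions = DLLs[dllName];
                if (!functions.Contains(import.Name))
                {
                    functions.Add(import.Name);
                }
            }

            raport.AddPEImportDLL(DLLs);
        }
        catch (Exception ex)
        {
            // Kept non-fatal on purpose, but no longer silent.
            System.Diagnostics.Trace.TraceWarning(
                "PEImports: imports of '" + FiletoScan + "' could not be read: " + ex.Message);
        }
    }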
コード例 #4
ファイル: BoundDelayImport.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Resets the delay-import text boxes and, when the file has a delay import
        ///     descriptor, fills them with its fields in hexadecimal.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose delay import descriptor is displayed.</param>
        public void SetDelayImport(PeFile peFile)
        {
            // Start from empty boxes so an absent descriptor shows nothing.
            grAttr.Text = string.Empty;
            szName.Text = string.Empty;
            phmod.Text = string.Empty;
            pIAT.Text = string.Empty;
            pINT.Text = string.Empty;
            pBoundIAT.Text = string.Empty;
            pUnloadIAT.Text = string.Empty;
            dwTimeStamp.Text = string.Empty;

            var descriptor = peFile.ImageDelayImportDescriptor;
            if (descriptor == null)
            {
                return;
            }

            // The controls are named after the descriptor fields; only grAttr differs
            // from its field name (grAttrs).
            grAttr.Text = descriptor.grAttrs.ToHexString();
            szName.Text = descriptor.szName.ToHexString();
            phmod.Text = descriptor.phmod.ToHexString();
            pIAT.Text = descriptor.pIAT.ToHexString();
            pINT.Text = descriptor.pINT.ToHexString();
            pBoundIAT.Text = descriptor.pBoundIAT.ToHexString();
            pUnloadIAT.Text = descriptor.pUnloadIAT.ToHexString();
            dwTimeStamp.Text = descriptor.dwTimeStamp.ToHexString();
        }
コード例 #5
ファイル: Signature.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Resets the signature view and, for a signed file, shows the
        ///     WIN_CERTIFICATE header fields and the details of the signing certificate.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose digital signature is displayed.</param>
        /// <remarks>
        ///     Three separate results are shown: whether a signature is present
        ///     (<c>IsSigned</c>), whether it verifies (<c>Utility.IsSignatureValid</c>) and
        ///     whether the certificate chain is valid (<c>IsValidCertChain</c>). Issuer,
        ///     subject and the other certificate fields come from the file itself and are
        ///     filled in regardless of the two validity results, so they carry no weight
        ///     unless both validity boxes are ticked.
        /// </remarks>
        public void SetDigSignature(PeFile peFile)
        {
            // Reset the signature summary.
            cbCertIsSigned.IsChecked = false;
            cbCertIsValid.IsChecked = false;
            cbCertIsValidChain.IsChecked = false;
            tbCertLength.Text = string.Empty;
            tbCertRevision.Text = string.Empty;
            tbCertType.Text = string.Empty;

            // Reset the certificate details.
            cbX509Archived.IsChecked = false;
            cbX509HasPrivateKey.IsChecked = false;
            tbX509FriendlyName.Text = string.Empty;
            tbX509Issuer.Text = string.Empty;
            tbX509Thumbprint.Text = string.Empty;
            tbX509Version.Text = string.Empty;
            tbX509NotAfter.Text = string.Empty;
            tbX509NotBefore.Text = string.Empty;
            tbX509SerialNumber.Text = string.Empty;
            tbX509SignatureAlgorithm.Text = string.Empty;
            tbX509Subject.Text = string.Empty;
            tbX509PrivateKey.Text = string.Empty;
            tbX509PublicKey.Text = string.Empty;
            tbX509Extensions.Text = string.Empty;
            tbX509CrlUrls.Text = string.Empty;

            if (!peFile.IsSigned)
            {
                return;
            }

            cbCertIsValid.IsChecked = Utility.IsSignatureValid(peFile.FileLocation);
            cbCertIsSigned.IsChecked = peFile.IsSigned;
            // NOTE(review): the `true` argument presumably turns on online revocation
            // checking - confirm. If so, this call makes network requests that depend
            // on the certificate embedded in the inspected file.
            cbCertIsValidChain.IsChecked = peFile.IsValidCertChain(true);

            var winCertificate = peFile.WinCertificate;
            tbCertLength.Text = winCertificate.dwLength.ToHexString();
            tbCertRevision.Text = winCertificate.wRevision.ToHexString();
            tbCertType.Text = winCertificate.wCertificateType.ToHexString();

            var certificate = peFile.PKCS7;
            cbX509Archived.IsChecked = certificate.Archived;
            cbX509HasPrivateKey.IsChecked = certificate.HasPrivateKey;
            tbX509FriendlyName.Text = certificate.FriendlyName;
            // One distinguished-name component per line.
            tbX509Issuer.Text = certificate.Issuer.Replace(", ", "\n");
            tbX509Thumbprint.Text = certificate.Thumbprint;
            tbX509Version.Text = certificate.Version.ToString();
            tbX509NotBefore.Text = certificate.NotBefore.ToLongDateString();
            tbX509NotAfter.Text = certificate.NotAfter.ToLongDateString();
            tbX509SerialNumber.Text = certificate.SerialNumber;
            tbX509SignatureAlgorithm.Text = certificate.SignatureAlgorithm.FriendlyName;
            tbX509Subject.Text = certificate.Subject.Replace(", ", "\n");
            tbX509PublicKey.Text = certificate.PublicKey.EncodedKeyValue.Format(true);
            // ToXmlString(false) serialises the public parameters only.
            tbX509PrivateKey.Text = certificate.PrivateKey?.ToXmlString(false);

            // One formatted extension per line.
            var extensionLines = new System.Text.StringBuilder();
            foreach (var x509Extension in certificate.Extensions)
            {
                extensionLines.Append(x509Extension.Format(true)).Append("\n");
            }
            tbX509Extensions.Text = extensionLines.ToString();

            // One CRL URL per line.
            var crlLines = new System.Text.StringBuilder();
            foreach (var url in peFile.GetCrlUrlList().Urls)
            {
                crlLines.Append(url).Append("\n");
            }
            tbX509CrlUrls.Text = crlLines.ToString();
        }
コード例 #6
ファイル: LoadConfig.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Clears the load-config view and, when the file has a load configuration
        ///     directory, shows each of its fields in hexadecimal.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose load configuration is displayed.</param>
        /// <remarks>
        ///     The property names <c>MajorVesion</c>, <c>VirtualMemoryThershold</c> and
        ///     <c>SecurityCoockie</c> are spelled the way this code's PeFile type exposes
        ///     them; they are not typos introduced here.
        /// </remarks>
        public void SetLoadConfig(PeFile peFile)
        {
            ClearLoadConfig();

            var loadConfig = peFile.ImageLoadConfigDirectory;
            if (loadConfig == null)
            {
                return;
            }

            // General fields.
            Size.Text = loadConfig.Size.ToHexString();
            TimeDateStamp.Text = loadConfig.TimeDateStamp.ToHexString();
            MajorVersion.Text = loadConfig.MajorVesion.ToHexString();
            MinorVersion.Text = loadConfig.MinorVersion.ToHexString();
            GlobalFlagsClear.Text = loadConfig.GlobalFlagsClear.ToHexString();
            GlobalFlagsSet.Text = loadConfig.GlobalFlagsSet.ToHexString();
            CriticalSectionDefaultTimeout.Text = loadConfig.CriticalSectionDefaultTimeout.ToHexString();

            // Heap and memory settings.
            DeCommitTotalFreeThreshold.Text = loadConfig.DeCommitTotalFreeThreshold.ToHexString();
            DeCommitFreeBlockThreshold.Text = loadConfig.DeCommitFreeBlockThreshold.ToHexString();
            LockPrefixTable.Text = loadConfig.LockPrefixTable.ToHexString();
            MaximumAllocationSize.Text = loadConfig.MaximumAllocationSize.ToHexString();
            VirtualMemoryThreshold.Text = loadConfig.VirtualMemoryThershold.ToHexString();
            ProcessHeapFlags.Text = loadConfig.ProcessHeapFlags.ToHexString();
            ProcessAffinityMask.Text = loadConfig.ProcessAffinityMask.ToHexString();
            CSDVersion.Text = loadConfig.CSDVersion.ToHexString();
            Reserved1.Text = loadConfig.Reserved1.ToHexString();
            EditList.Text = loadConfig.EditList.ToHexString();

            // Exploit-mitigation related fields: stack cookie, SafeSEH table and
            // Control Flow Guard data.
            SecurityCookie.Text = loadConfig.SecurityCoockie.ToHexString();
            SEHandlerTable.Text = loadConfig.SEHandlerTable.ToHexString();
            SEHandlerCount.Text = loadConfig.SEHandlerCount.ToHexString();
            GuardCFCheckFunctionPointer.Text = loadConfig.GuardCFCheckFunctionPointer.ToHexString();
            Reserved2.Text = loadConfig.Reserved2.ToHexString();
            GuardCFFunctionTable.Text = loadConfig.GuardCFFunctionTable.ToHexString();
            GuardCFFunctionCount.Text = loadConfig.GuardCFFunctionCount.ToHexString();
            GuardFlags.Text = loadConfig.GuardFlags.ToHexString();
        }
コード例 #7
ファイル: FileInfo.xaml.cs プロジェクト: secana/PeNet
 /// <summary>
 ///     Shows the file's location, size and hash values.
 /// </summary>
 /// <param name="peFile">Parsed PE file whose general information is displayed.</param>
 /// <remarks>
 ///     MD5 and SHA-1 are useful as lookup keys but are both collision-prone; when
 ///     two samples must be told apart with confidence, compare the SHA-256 value.
 /// </remarks>
 public void SetFileInfo(PeFile peFile)
 {
     // Where the file is and how large it is.
     tbLocation.Text = peFile.FileLocation;
     tbSize.Text = string.Format("{0} Bytes", peFile.FileSize);

     // Whole-file digests.
     tbMD5.Text = peFile.MD5;
     tbSHA1.Text = peFile.SHA1;
     tbSHA256.Text = peFile.SHA256;

     // Import hash as provided by the parsed file.
     tbImpHash.Text = peFile.ImpHash;
 }
コード例 #8
ファイル: TlsDirectory.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Adds one row per TLS callback address to the <c>Callbacks</c> list.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose TLS callbacks are listed.</param>
        /// <remarks>
        ///     Does nothing when the file has no TLS directory or no callback list.
        ///     TLS callbacks are invoked by the loader before the entry point, which is
        ///     why an analyst wants them visible next to the TLS directory fields.
        /// </remarks>
        private void SetCallbacks(PeFile peFile)
        {
            var tlsCallbacks = peFile.ImageTlsDirectory?.TlsCallbacks;
            if (tlsCallbacks == null)
            {
                return;
            }

            foreach (var tlsCallback in tlsCallbacks)
            {
                // The anonymous object exposes a single Callback property holding the hex string.
                var row = new {Callback = tlsCallback.Callback.ToHexString()};
                Callbacks.Items.Add(row);
            }
        }
コード例 #9
 /// <summary>
 ///     Adds the basic identifying properties of <paramref name="FiletoScan"/> to the
 ///     report: MD5, SHA-1, authentihash, import hash, guessed MIME type and file size.
 /// </summary>
 /// <param name="FiletoScan">Path of the file to inspect.</param>
 /// <param name="raport">Report that receives the properties.</param>
 /// <remarks>
 ///     If anything in the PE-based path throws, the hashes are computed with the
 ///     local helpers instead and the import hash and file size are reported as empty
 ///     strings. An exception thrown inside the fallback itself is not handled here.
 /// </remarks>
 public BasicProperties(string FiletoScan, ref XMLParser raport)
 {
     try
     {
         var peHeader = new PeNet.PeFile(FiletoScan);

         // Evaluated in the same order in which they are passed to the report.
         var md5 = peHeader.MD5;
         var sha1 = peHeader.SHA1;
         var authentihash = AuthentihashCheckSum(FiletoScan);
         var importHash = peHeader.ImpHash;
         var mimeType = MimeGuesser.GuessFileType(FiletoScan).MimeType;
         var fileSize = peHeader.FileSize.ToString();

         raport.AddBasicProperties(md5, sha1, authentihash, importHash, mimeType, fileSize);
     }
     catch (Exception)
     {
         // Fallback for input that could not be handled as a PE file.
         var md5 = MD5CheckSum(FiletoScan);
         var sha1 = SHA1CheckSum(FiletoScan);
         var authentihash = AuthentihashCheckSum(FiletoScan);
         var mimeType = MimeGuesser.GuessFileType(FiletoScan).MimeType;

         raport.AddBasicProperties(md5, sha1, authentihash, "", mimeType, "");
     }
 }
コード例 #10
ファイル: Exports.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Rebuilds the export list with one row per exported function, showing its
        ///     name, ordinal and address.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose exports are listed.</param>
        public void SetExports(PeFile peFile)
        {
            lbExports.Items.Clear();

            var exportedFunctions = peFile.ExportedFunctions;
            if (exportedFunctions == null)
            {
                return;
            }

            foreach (var export in exportedFunctions)
            {
                // The address is rendered as upper-case hex with a "0x" prefix.
                var rva = "0x" + export.Address.ToString("X");
                lbExports.Items.Add(new { export.Name, export.Ordinal, RVA = rva });
            }
        }
コード例 #11
ファイル: DirectoryView.xaml.cs プロジェクト: secana/PeNet
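 /// <summary>
 ///     Rebuilds the data-directory grid with one row per data directory entry:
 ///     index, resolved name, virtual address and size.
 /// </summary>
 /// <param name="peFile">Parsed PE file whose data directories are listed.</param>
 /// <remarks>
 ///     <c>NumberOfRvaAndSizes</c> is read from the file and is therefore controlled
 ///     by whoever produced it. The loop is bounded by the length of the parsed
 ///     <c>DataDirectory</c> array as well, so an inflated count cannot index past
 ///     the array. The grid is cleared first so that loading a second file does not
 ///     append to the rows of the first.
 /// </remarks>
 public void SetDirectoryView(PeFile peFile)
 {
     dgDirectories.Items.Clear();

     var optionalHeader = peFile.ImageNtHeaders.OptionalHeader;
     var directories = optionalHeader.DataDirectory;
     if (directories == null)
     {
         return;
     }

     // Stop at whichever is smaller: the declared count or the entries actually parsed.
     for (var i = 0; i < directories.Length && i < optionalHeader.NumberOfRvaAndSizes; i++)
     {
         dgDirectories.Items.Add(new
         {
             Number = i,
             Name = GetDirectoryNameByIndex(i),
             VAddress = directories[i].VirtualAddress.ToHexString(),
             VSize = directories[i].Size.ToHexString()
         });
     }
 }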
コード例 #12
ファイル: FileHeaderDebug.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Shows the COFF file header fields; machine type and characteristics are
        ///     shown both as hex and in resolved, readable form.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose file header is displayed.</param>
        public void SetFileHeader(PeFile peFile)
        {
            var header = peFile.ImageNtHeaders.FileHeader;

            // Machine: "<hex> <-> <resolved name>".
            var machine = header.Machine;
            tbMachine.Text = string.Format("{0} <-> {1}", machine.ToHexString(), Utility.ResolveTargetMachine(machine));

            tbNumberOfSections.Text = header.NumberOfSections.ToHexString();
            // Raw value from the header; it is whatever the producer of the file wrote.
            tbTimeDateStamp.Text = header.TimeDateStamp.ToHexString();
            tbPointerToSymbolTable.Text = header.PointerToSymbolTable.ToHexString();
            tbNumberOfSymbols.Text = header.NumberOfSymbols.ToHexString();
            tbSizeOfOptionalHeader.Text = header.SizeOfOptionalHeader.ToHexString();

            // Characteristics: hex value, a blank line, then the resolved flags.
            var characteristics = header.Characteristics;
            tbCharacteristics.Text = string.Format("{0}\n\n{1}", characteristics.ToHexString(), Utility.ResolveFileCharacteristics(characteristics));
        }
コード例 #13
ファイル: BoundDelayImport.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Resets the bound-import text boxes and, when the file has a bound import
        ///     descriptor, fills them with its fields in hexadecimal.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose bound import descriptor is displayed.</param>
        public void SetBoundImport(PeFile peFile)
        {
            // Start from empty boxes so an absent descriptor shows nothing.
            tbBoundImportNumberOfModuleForwarderRefs.Text = string.Empty;
            tbBoundImportOffsetModuleName.Text = string.Empty;
            tbBoundImportTimeDateStamp.Text = string.Empty;

            var boundImport = peFile.ImageBoundImportDescriptor;
            if (boundImport == null)
            {
                return;
            }

            tbBoundImportNumberOfModuleForwarderRefs.Text = boundImport.NumberOfModuleForwarderRefs.ToHexString();
            tbBoundImportOffsetModuleName.Text = boundImport.OffsetModuleName.ToHexString();
            tbBoundImportTimeDateStamp.Text = boundImport.TimeDateStamp.ToHexString();
        }
コード例 #14
        /// <summary>
        ///     Runs the whole transformation pipeline for the file at
        ///     <paramref name="filePath"/>: parse, collect statistics, print the
        ///     original, obfuscate, then print the result twice.
        /// </summary>
        /// <param name="filePath">Path of the PE file to process.</param>
        /// <remarks>
        ///     The file is parsed once, before <c>ObfuscateAssembly</c> runs, and that
        ///     same parsed object is passed to the final print step.
        ///     NOTE(review): the helpers are not visible here; from the call shape
        ///     ObfuscateAssembly presumably rewrites the file at filePath in place -
        ///     confirm before running this against anything but a copy.
        /// </remarks>
        public void Transform(string filePath)
        {
            // Parse the input and extract its code.
            var originalImage = new PeNet.PeFile(filePath);
            Code = ParseCode(originalImage);

            // Statistics are updated from the parsed code before anything is changed.
            UpdateStatistics(Code, m_statistics);

            // Print the input, transform it, then print the output.
            PrintOriginalAssembly(originalImage, filePath);
            ObfuscateAssembly(filePath, originalImage, Code);
            PrintNewAssembly(filePath);

            // Receives the parse result taken before the transformation.
            PrintNewAssemblyMisinterpreted(filePath, originalImage);
        }
コード例 #15
ファイル: TlsDirectory.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Clears the TLS view and, when the file has a TLS directory, shows its
        ///     fields in hexadecimal and lists its callbacks.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose TLS directory is displayed.</param>
        public void SetTlsDirectory(PeFile peFile)
        {
            // Both the field boxes and the callback list are reset before anything is read.
            ClearTlsDirectory();
            ClearTlsCallbacks();

            var tlsDirectory = peFile.ImageTlsDirectory;
            if (tlsDirectory == null)
            {
                return;
            }

            StartAddressOfRawData.Text = tlsDirectory.StartAddressOfRawData.ToHexString();
            EndAddressOfRawData.Text = tlsDirectory.EndAddressOfRawData.ToHexString();
            AddressOfIndex.Text = tlsDirectory.AddressOfIndex.ToHexString();
            AddressOfCallBacks.Text = tlsDirectory.AddressOfCallBacks.ToHexString();
            SizeOfZeroFill.Text = tlsDirectory.SizeOfZeroFill.ToHexString();
            Characteristics.Text = tlsDirectory.Characteristics.ToHexString();

            // The callback list is filled from the same file.
            SetCallbacks(peFile);
        }
コード例 #16
ファイル: Relocation.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Remembers the file, clears both relocation lists and, when the file has
        ///     a valid relocation directory, adds one row per relocation block.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose relocation blocks are listed.</param>
        public void SetRelocations(PeFile peFile)
        {
            _peFile = peFile;

            // Both the block list and the type/offset list start empty.
            lbRelocationEntries.Items.Clear();
            lbRelocTypeOffsets.Items.Clear();

            var hasRelocations = peFile.HasValidRelocDir;
            if (!hasRelocations)
            {
                return;
            }

            foreach (var block in peFile.ImageRelocationDirectory)
            {
                var row = new
                {
                    VirtualAddress = block.VirtualAddress.ToHexString(),
                    SizeOfBlock = block.SizeOfBlock.ToHexString()
                };
                lbRelocationEntries.Items.Add(row);
            }
        }
コード例 #17
ファイル: Exceptions.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Remembers the file, clears the runtime-function list and, for a file
        ///     that is not 32-bit and has runtime functions, adds one row per function.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose runtime functions are listed.</param>
        public void SetException(PeFile peFile)
        {
            _peFile = peFile;
            lbRuntimeFunctions.Items.Clear();

            // Rows are only produced for non-32-bit files that carry the table; the
            // table is not touched at all when the file is 32-bit.
            var hasRuntimeFunctions = !peFile.Is32Bit && peFile.RuntimeFunctions != null;
            if (!hasRuntimeFunctions)
            {
                return;
            }

            foreach (var runtimeFunction in peFile.RuntimeFunctions)
            {
                var row = new
                {
                    FunctionStart = runtimeFunction.FunctionStart.ToHexString(),
                    FunctionEnd = runtimeFunction.FunctionEnd.ToHexString(),
                    UnwindInfo = runtimeFunction.UnwindInfo.ToHexString()
                };
                lbRuntimeFunctions.Items.Add(row);
            }
        }
コード例 #18
ファイル: SectionHeaders.xaml.cs プロジェクト: secana/PeNet
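 /// <summary>
 ///     Rebuilds the section grid with one numbered row per section header: name,
 ///     virtual and raw size/address, and the characteristics both as hex and as a
 ///     comma-separated list of resolved flags.
 /// </summary>
 /// <param name="peFile">Parsed PE file whose section headers are listed.</param>
 /// <remarks>
 ///     The grid is cleared first so that loading a second file does not append to
 ///     the rows of the first, and a missing section table yields an empty grid.
 ///     The resolved flags are the quickest place to spot a section that is both
 ///     writable and executable.
 /// </remarks>
 public void SetSections(PeFile peFile)
 {
     dgSections.Items.Clear();

     var sectionHeaders = peFile.ImageSectionHeaders;
     if (sectionHeaders == null)
     {
         return;
     }

     // Rows are numbered from 1 in table order.
     var num = 1;
     foreach (var sec in sectionHeaders)
     {
         var flags = string.Join(", ", Utility.ResolveSectionFlags(sec.Characteristics));
         dgSections.Items.Add(new
         {
             Number = num,
             Name = Utility.ResolveSectionName(sec.Name),
             VSize = sec.VirtualSize.ToHexString(),
             VAddress = sec.VirtualAddress.ToHexString(),
             PSize = sec.SizeOfRawData.ToHexString(),
             PAddress = sec.PhysicalAddress.ToHexString(),
             Flags = sec.Characteristics.ToHexString(),
             RFlags = flags
         });
         num++;
     }
 }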
コード例 #19
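 /// <summary>
 ///     Parses <paramref name="FiletoScan"/> as a PE file and adds target machine,
 ///     compilation timestamp, entry point and section count to the report.
 /// </summary>
 /// <param name="FiletoScan">Path of the file to inspect.</param>
 /// <param name="raport">Report that receives the header summary.</param>
 /// <exception cref="ArgumentException">
 ///     Thrown with the message "No PE" when the file cannot be parsed, when its NT
 ///     signature is not "PE\0\0", or when any later step fails. The original
 ///     failure is attached as the inner exception.
 /// </exception>
 /// <remarks>
 ///     The timestamp is taken from the file header as-is; it is written by whoever
 ///     built the file and must not be treated as a trustworthy build time.
 ///     NOTE(review): <c>ToString()</c> on the timestamp follows the current
 ///     culture, so the report text differs between machines. Left unchanged so
 ///     that existing reports keep their format.
 /// </remarks>
 public PEHeader(string FiletoScan, ref XMLParser raport)
 {
     // "PE\0\0" read as a little-endian 32-bit value: 0x00004550 == 17744.
     // Every PE file carries it; without it the remaining header is not worth reading.
     const int PeSignature = 0x4550;

     try
     {
         var peHeader = new PeNet.PeFile(FiletoScan);
         if (peHeader.ImageNtHeaders.Signature != PeSignature)
         {
             throw new ArgumentException("No PE", "original");
         }

         var containedsections    = peHeader.ImageSectionHeaders.Length;
         var entrypoint           = peHeader.ImageNtHeaders.OptionalHeader.AddressOfEntryPoint;
         var targetmachine        = PeNet.Utilities.FlagResolver.ResolveTargetMachine(peHeader.ImageNtHeaders.FileHeader.Machine);
         // TimeDateStamp is counted in seconds from 1970-01-01 00:00:00 UTC.
         var compilationtimestamp = new DateTime(1970, 1, 1, 0, 0, 0, 0, DateTimeKind.Utc).AddSeconds(peHeader.ImageNtHeaders.FileHeader.TimeDateStamp);
         raport.AddPEHeader(targetmachine, compilationtimestamp.ToString(), entrypoint.ToString(), containedsections.ToString());
     }
     catch (Exception ex)
     {
         // Same exception type, message and parameter name as before; the cause is
         // now preserved so a parse failure can be told apart from a bad signature.
         throw new ArgumentException("No PE", "original", ex);
     }
 }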
コード例 #20
ファイル: Imports.xaml.cs プロジェクト: secana/PeNet
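        /// <summary>
        ///     Remembers the file and rebuilds the DLL list with one row per distinct
        ///     DLL name found among the imported functions, in first-seen order.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose imported DLLs are listed.</param>
        /// <remarks>
        ///     Names are compared with the default string equality, so two spellings
        ///     of one DLL that differ only in case appear as separate rows. The earlier
        ///     version also built a dictionary of per-DLL function queries that was
        ///     never read; it has been dropped, which also removes the
        ///     <see cref="ArgumentNullException"/> it raised for an import without a
        ///     DLL name.
        /// </remarks>
        public void SetImports(PeFile peFile)
        {
            _peFile = peFile;
            lbImportDlls.Items.Clear();

            var importedFunctions = peFile.ImportedFunctions;
            if (importedFunctions == null)
            {
                return;
            }

            foreach (var dllName in importedFunctions.Select(x => x.DLL).Distinct())
            {
                lbImportDlls.Items.Add(new { DLL = dllName });
            }
        }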
コード例 #21
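    /// <summary>
    ///     Parses <paramref name="FiletoScan"/> and adds one report entry per section:
    ///     name, virtual address, virtual size, raw size, entropy and MD5 of the
    ///     section's raw bytes.
    /// </summary>
    /// <param name="FiletoScan">Path of the file to inspect.</param>
    /// <param name="raport">Report that receives the section entries.</param>
    /// <remarks>
    ///     <c>PointerToRawData</c> and <c>SizeOfRawData</c> come from the file and can
    ///     be set to anything by its producer. The byte range is therefore computed
    ///     in 64-bit arithmetic and clamped to the file buffer, so a section header
    ///     that points past the end of the file no longer causes an out-of-range read
    ///     or an allocation sized by the header. Entropy and MD5 then cover the bytes
    ///     that are actually present; the reported raw size is still the header value,
    ///     so a mismatch between the two is visible to the reader of the report.
    ///     MD5 is used here only as a fingerprint of the section content.
    /// </remarks>
    public PESections(string FiletoScan, ref XMLParser raport)
    {
        var peHeader = new PeNet.PeFile(FiletoScan);
        var fileBytes = peHeader.Buff;

        using (var md5 = MD5.Create())
        {
            foreach (var section in peHeader.ImageSectionHeaders)
            {
                // Widen before adding so pointer + size cannot wrap around.
                long declaredStart = section.PointerToRawData;
                long declaredSize = section.SizeOfRawData;
                long start = Math.Min(declaredStart, fileBytes.Length);
                long end = Math.Min(declaredStart + declaredSize, fileBytes.Length);

                int offset = (int)start;
                int count = (int)(end - start);

                // Histogram of byte values, the input of the entropy calculation.
                var byteCount = new uint[256];
                for (int k = offset; k < offset + count; k++)
                {
                    ++byteCount[fileBytes[k]];
                }

                // Hash the range in place instead of copying it into a temporary array.
                raport.AddPESection(PeNet.Utilities.FlagResolver.ResolveSectionName(section.Name), section.VirtualAddress.ToString(),
                                    section.VirtualSize.ToString(), section.SizeOfRawData.ToString(),
                                    CountEntropy(byteCount, (uint)count).ToString(), BitConverter.ToString(md5.ComputeHash(fileBytes, offset, count)).Replace("-", string.Empty));
            }
        }
    }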
コード例 #22
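    /// <summary>
    ///     Adds the version-resource strings of <paramref name="FiletoScan"/> to the
    ///     report, under the signed or the not-signed heading, and for a signed file
    ///     records whether the signature is valid.
    /// </summary>
    /// <param name="FiletoScan">Path of the file to inspect.</param>
    /// <param name="raport">Report that receives the version information.</param>
    /// <remarks>
    ///     The version strings (company name, description and so on) are read from
    ///     the file's resources and are reported for a signed file before the
    ///     signature is checked. Only the valid/invalid entry that follows says
    ///     whether the signature verifies, so the strings themselves prove nothing
    ///     about the publisher.
    ///     PE parsing is best-effort: on failure nothing is added to the report and
    ///     the failure is written to the trace output instead of being dropped.
    ///     <c>FileVersionInfo.GetVersionInfo</c> runs outside the try block, so its
    ///     exceptions reach the caller.
    /// </remarks>
    public FileversionInfo(string FiletoScan, ref XMLParser raport)
    {
        this.raport = raport;
        FileVersionInfo filever = FileVersionInfo.GetVersionInfo(FiletoScan);

        try
        {
            var peHeader = new PeNet.PeFile(FiletoScan);

            // Missing version strings are reported as empty strings.
            string comments     = filever.Comments ?? "";
            string companyName  = filever.CompanyName ?? "";
            string buildPart    = filever.FileBuildPart.ToString();
            string description  = filever.FileDescription ?? "";
            string fileVersion  = filever.FileVersion ?? "";
            string internalName = filever.InternalName ?? "";
            string language     = filever.Language ?? "";
            string specialBuild = filever.SpecialBuild ?? "";

            if (peHeader.IsSigned)
            {
                raport.AddFileVersionSigned(comments, companyName, buildPart, description,
                                            fileVersion, internalName, language, specialBuild);

                // Presence of a signature and validity of it are reported separately.
                if (peHeader.IsSignatureValid)
                {
                    raport.AddFileVersionSignedValid(peHeader.PKCS7);
                }
                else
                {
                    raport.AddFileVersionSignedInvalid();
                }
            }
            else
            {
                raport.AddFileVersionNotSigned(comments, companyName, buildPart, description,
                                               fileVersion, internalName, language, specialBuild);
            }
        }
        catch (Exception ex)
        {
            // Kept non-fatal on purpose, but no longer silent.
            System.Diagnostics.Trace.TraceWarning(
                "FileversionInfo: version/signature data of '" + FiletoScan + "' could not be read: " + ex.Message);
        }
    }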
コード例 #23
ファイル: DosNtHeader.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Shows every field of the DOS header in hexadecimal; the magic value is
        ///     annotated with "MZ" when it equals 0x5A4D.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose DOS header is displayed.</param>
        public void SetDosHeader(PeFile peFile)
        {
            var dosHeader = peFile.ImageDosHeader;
            var magic = dosHeader.e_magic;

            // 0x5A4D is "MZ"; any other value is shown as plain hex without annotation.
            if (magic == 0x5A4D)
            {
                tbe_magic.Text = $"{magic.ToHexString()} <-> MZ";
            }
            else
            {
                tbe_magic.Text = magic.ToHexString();
            }

            tbe_cblp.Text = dosHeader.e_cblp.ToHexString();
            tbe_cp.Text = dosHeader.e_cp.ToHexString();
            tbe_crlc.Text = dosHeader.e_crlc.ToHexString();
            tbe_cparhdr.Text = dosHeader.e_cparhdr.ToHexString();
            tbe_minalloc.Text = dosHeader.e_minalloc.ToHexString();
            tbe_maxalloc.Text = dosHeader.e_maxalloc.ToHexString();
            tbe_ss.Text = dosHeader.e_ss.ToHexString();
            tbe_sp.Text = dosHeader.e_sp.ToHexString();
            tbe_csum.Text = dosHeader.e_csum.ToHexString();
            tbe_ip.Text = dosHeader.e_ip.ToHexString();
            tbe_cs.Text = dosHeader.e_cs.ToHexString();
            tbe_lfarlc.Text = dosHeader.e_lfarlc.ToHexString();
            tbe_ovno.Text = dosHeader.e_ovno.ToHexString();
            tbe_res.Text = dosHeader.e_res.ToHexString();
            tbe_oemid.Text = dosHeader.e_oemid.ToHexString();
            tbe_oeminfo.Text = dosHeader.e_oeminfo.ToHexString();
            tbe_res2.Text = dosHeader.e_res2.ToHexString();
            // In the PE format e_lfanew is the file offset of the NT headers.
            tbe_lfanew.Text = dosHeader.e_lfanew.ToHexString();
        }
コード例 #24
ファイル: DosNtHeader.xaml.cs プロジェクト: secana/PeNet
 /// <summary>
 ///     Shows the NT header signature in hexadecimal.
 /// </summary>
 /// <param name="peFile">Parsed PE file whose NT signature is displayed.</param>
 public void SetNtHeader(PeFile peFile)
 {
     var signature = peFile.ImageNtHeaders.Signature;
     tbSignature.Text = signature.ToHexString();
 }
コード例 #25
ファイル: MainWindow.xaml.cs プロジェクト: secana/PeNet
        /// <summary>
        ///     Opens <paramref name="file"/>, parses it as a PE file and pushes the
        ///     result into every view of the window.
        /// </summary>
        /// <param name="file">Path of the file chosen by the user.</param>
        /// <remarks>
        ///     A file that fails the quick PE check, or whose parsing throws, is
        ///     reported through the invalid-file message box and nothing else changes.
        ///     Only the construction of <c>PeFile</c> is inside the try block: an
        ///     exception raised later, while one of the views reads a malformed
        ///     structure, propagates to the caller of this method.
        /// </remarks>
        private void FileOpen(string file)
        {
            // The status bar shows the path even if the file turns out to be invalid.
            tbStatusBarLocation.Text = file;

            // Cheap rejection before the full parse.
            if (!PeFile.IsPEFile(file))
            {
                ShowInvalidPeFileMsgBox();
                return;
            }

            PeFile peFile;
            try
            {
                peFile = new PeFile(file);
            }
            catch (Exception)
            {
                ShowInvalidPeFileMsgBox();
                return;
            }

            _peFile = peFile;

            // General file information and hashes.
            FileInfo.SetFileInfo(peFile);

            // DOS header, then the NT signature.
            DosNtHeader.SetDosHeader(peFile);
            DosNtHeader.SetNtHeader(peFile);

            // COFF file header and debug directory share one view.
            FileHeaderDebug.SetFileHeader(peFile);
            FileHeaderDebug.SetDebug(peFile);

            // Optional header.
            OptionalHeader.SetOptionalHeader(peFile);

            // Imports, exports, resources and sections.
            Imports.SetImports(peFile);
            Exports.SetExports(peFile);
            Resource.SetResources(peFile);
            SectionHeaders.SetSections(peFile);

            // Exception data (x64 only) and relocations.
            Exceptions.SetException(peFile);
            Relocation.SetRelocations(peFile);

            // Digital signature.
            Signature.SetDigSignature(peFile);

            // Bound import directory and delay import descriptor share one view.
            DebugBoundImport.SetBoundImport(peFile);
            DebugBoundImport.SetDelayImport(peFile);

            // TLS directory, load configuration and the data directory overview.
            TlsDirectory.SetTlsDirectory(peFile);
            LoadConfig.SetLoadConfig(peFile);
            DirectoryView.SetDirectoryView(peFile);
        }
コード例 #26
ファイル: Resource.xaml.cs プロジェクト: secana/PeNet
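        /// <summary>
        ///     Remembers the file and rebuilds the resource tree: a root node, one
        ///     node per top-level (type) entry, one per second-level (name/ID) entry
        ///     and one per third-level entry.
        /// </summary>
        /// <param name="peFile">Parsed PE file whose resource directory is displayed.</param>
        /// <remarks>
        ///     The resource directory is read from the file, so its shape cannot be
        ///     taken for granted. A missing sub-directory or entry list, or a null
        ///     entry, is skipped instead of being dereferenced, and a top-level entry
        ///     that is neither an ID entry nor a named entry is left out rather than
        ///     added to the tree as a null item. For a directory that has all three
        ///     levels the resulting tree is the same as before.
        /// </remarks>
        public void SetResources(PeFile peFile)
        {
            _peFile = peFile;
            // Clear the tree.
            tbResources.Items.Clear();

            // ROOT
            var rd = peFile.ImageResourceDirectory;

            if (rd == null)
                return;

            var root = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(null)
            {
                Header = "Resource Directory"
            };

            // Type
            var typeEntries = rd.DirectoryEntries;
            if (typeEntries != null)
            {
                foreach (var de in typeEntries)
                {
                    if (de == null)
                        continue;

                    MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY> item = null;
                    if (de.IsIdEntry)
                    {
                        item = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de)
                        {
                            Header = Utility.ResolveResourceId(de.ID)
                        };
                    }
                    else if (de.IsNamedEntry)
                    {
                        item = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de)
                        {
                            Header = de.ResolvedName
                        };
                    }

                    // Neither kind of entry: there is nothing to label the node with.
                    if (item == null)
                        continue;

                    // name/IDs
                    var nameEntries = de.ResourceDirectory?.DirectoryEntries;
                    if (nameEntries != null)
                    {
                        foreach (var de2 in nameEntries)
                        {
                            if (de2 == null)
                                continue;

                            var item2 = new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de2)
                            {
                                Header = de2.ID.ToString()
                            };

                            // Third level, shown by ID in hexadecimal.
                            var leafEntries = de2.ResourceDirectory?.DirectoryEntries;
                            if (leafEntries != null)
                            {
                                foreach (var de3 in leafEntries)
                                {
                                    if (de3 == null)
                                        continue;

                                    item2.Items.Add(new MyTreeViewItem<IMAGE_RESOURCE_DIRECTORY_ENTRY>(de3)
                                    {
                                        Header = de3.ID.ToHexString()
                                    });
                                }
                            }

                            item.Items.Add(item2);
                        }
                    }

                    root.Items.Add(item);
                }
            }

            tbResources.Items.Add(root);
        }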
コード例 #27
ファイル: PeFile.cs プロジェクト: secana/PeNet
 /// <summary>
 ///     Attempts to parse the given file as a PE file and reports whether the
 ///     parsed result considers itself valid.
 /// </summary>
 /// <param name="file">Path to a possible PE file.</param>
 /// <returns>
 ///     The value of <c>IsValidPeFile</c> of the parsed file; false when
 ///     constructing the <c>PeFile</c> throws.
 /// </returns>
 /// <remarks>
 ///     Every exception from the constructor is turned into false, so the result
 ///     does not tell "not a PE file" apart from "could not be read" (for example
 ///     a missing file). An exception from the <c>IsValidPeFile</c> getter itself
 ///     is outside the try block and is not caught.
 /// </remarks>
 public static bool IsValidPEFile(string file)
 {
     PeFile candidate;

     try
     {
         candidate = new PeFile(file);
     }
     catch
     {
         // Any failure to construct the object counts as "not valid".
         return false;
     }

     var isValid = candidate.IsValidPeFile;
     return isValid;
 }